OMEGAMON 3270 Classic interface security

You can provide security for the OMEGAMON® 3270 Classic interface by using a combination of security types and implementations. You must implement security at both the product level and the command level. Product-level security provides user ID and password validation to detect and prevent unauthorized access to the OMEGAMON product. Command-level security prevents the unauthorized use of sensitive commands from OMEGAMON 3270 Classic panels and by OMEGAMON users.

The OMEGAMON 3270 Classic interface is available for the following OMEGAMON products: OMEGAMON for CICS, OMEGAMON for Db2 Performance Expert, OMEGAMON for IMS, OMEGAMON for z/OS, and IBM Z OMEGAMON Monitor for z/OS.

You can implement product-level (logon access and authorization) and command-level security using either external or internal security, or a mixture, as follows:
  • External security uses another security package (such as IBM RACF®, CA-ACF2, or CA-TOP SECRET) to control access. External security can be used for securing logon validation and command validation.
  • Internal security uses the security included within the product to control access for commands. By default, OMEGAMON command validation is controlled by an internal security table. Internal product security is not available for logon validation.
  • A mixed implementation mixes the security used at the product level and the command level. For example, you can use RACF for logon authentication, and then use internal security at the command level.

If security is enabled on a z/OS hub monitoring server, you must use the same security implementation for the OMEGAMON 3270 Classic interface as is used for the hub.

External security and logon validation

The OMEGAMON 3270 Classic interface uses the System Authorization Facility (SAF) interface to implement external security. SAF provides a system interface to z/OS security software, such as IBM RACF, CA-ACF2, and CA-TOP SECRET. The method by which you set up the SAF interface depends on the type of authentication that you intend to use when logging on to the OMEGAMON 3270 Classic interface, as follows:

  • If you will be using traditional eight-byte mainframe passwords only, you must use an external security exit to implement the SAF interface. The security exit is a user-customized assembler module that generally defines the SAF security class and SAF application ID for OMEGAMON Classic started tasks. A sample SAF exit is provided, which might require modification to conform to installation standards.
  • If you will be using passphrase and multi-factor authentication, OMEGAMON implements the SAF interface without the use of external security exits. The SAF security class and SAF application ID are defined as startup parameters to the OMEGAMON logon program. In order for a user ID to use a passphrase, the user ID must be set up in the security system.
    Note: Passphrase support for the OMEGAMON 3270 Classic interface is introduced with APAR OA57133 (PTF UA98944).

See the configuration documentation for the specific OMEGAMON monitoring products for instructions on implementing security for the OMEGAMON 3270 Classic interface. If you will be using passphrase and multi-factor authentication, see also "How to: Configure passphrase and MFA support in the OMEGAMON 3270 Classic interface".
